VMware Cloud Community
zenking
Hot Shot

Key file for vCenter certificate?

I generated a CSR through the vCenter web interface (Administration>Certificate Management>Machine SSL Certificate>Actions>Generate CSR). I submitted the csr and got the certificate back, but I need the private key file. Can anyone tell me where on the vcenter server the csr generation process would have put that by default? Most of the documentation I've seen is for the certificate manager command and uses a switch for the file location, but there isn't much documentation for the web client.

Thanks.

VMWare Environment: vSphere 7.0, EQ PS6210 SANs, Dell R730 Hosts, dedicated Dell switches w/ separate vlans for vmotion and iscsi.
6 Replies
scott28tt
VMware Employee

Why not add this to your existing thread rather than start another?

  Solved: Create new csr for vCenter ssl cert


-------------------------------------------------------------------------------------------------------------------------------------------------------------

Although I am a VMware employee I contribute to VMware Communities voluntarily (ie. not in any official capacity)
VMware Training & Certification blog
zenking
Hot Shot

I considered doing that, but since I marked it with a correct answer, I don't think many people will look at it unless they're having the first issue I wrote about. Since this is a completely separate certificate issue, I also figured it would be better to start a new thread.

Thanks.

zenking
Hot Shot

Found the answer in this reddit thread.

vCenter 6.7 Replacing Machine Cert Private Key Help : vmware

Run command:

/usr/lib/vmware-vmafd/bin/vecs-cli entry getkey --store MACHINE_SSL_CERT --alias __MACHINE_CSR > /path/filename.key

Looks like I wiped out the key while I was testing, so I'll need to start over. I'd also like to submit a bug report to vmware so they can add a way to save the key somewhere when the csr is generated in the web client. If someone could point me in the right direction for that, I'd appreciate it.

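The vecs-cli command above writes the Machine SSL private key to a plain file; the script below is an added example (not from the thread, the reddit post, or VMware) that wraps that same command and then checks, with openssl, that the key actually belongs to the certificate the CA returned, before anything is installed. The vecs-cli path and store/alias names are taken from the post; the output paths, the hostname in the demo certificate and the availability of openssl on the box are assumptions.

```shell
#!/bin/sh
# Added example: export the Machine SSL private key from VECS and verify it
# matches a CA-issued certificate before installing it in vCenter.
# Assumes: openssl in PATH; vecs-cli exists only on the vCenter appliance.

# Export the key that the web-client "Generate CSR" action stored in VECS.
# This is the thread's command, unchanged, followed by tightening the mode
# so the key is not left world-readable under a loose umask.
extract_machine_key() {
    out="$1"
    /usr/lib/vmware-vmafd/bin/vecs-cli entry getkey \
        --store MACHINE_SSL_CERT --alias __MACHINE_CSR > "$out" || return 1
    chmod 600 "$out"
}

# Return 0 when the public key embedded in CERT equals the public key derived
# from KEY (compares the SPKI in PEM form; works for RSA and EC keys).
# Returns 2 when either file cannot be parsed, 1 when they do not match.
key_matches_cert() {
    key="$1"; cert="$2"
    k=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 2
    c=$(openssl x509 -in "$cert" -pubkey -noout 2>/dev/null) || return 2
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# The classic RSA-only form of the same check (modulus comparison), kept
# because it is what most troubleshooting guides quote.
rsa_modulus_matches() {
    key="$1"; cert="$2"
    km=$(openssl rsa -in "$key" -noout -modulus 2>/dev/null) || return 2
    cm=$(openssl x509 -in "$cert" -noout -modulus 2>/dev/null) || return 2
    [ -n "$km" ] && [ "$km" = "$cm" ]
}

# Constructed demo data (no vCenter or CA needed): a self-signed key/cert pair
# plus an unrelated key, so both the match and the mismatch path can be run.
make_demo() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/good.key" \
        -out "$dir/good.crt" -subj "/CN=vcenter.example.invalid" -days 1 \
        >/dev/null 2>&1
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/other.key" >/dev/null 2>&1
    echo "$dir"
}

# Direct use:  sh check_machine_key.sh /path/filename.key /path/signed.crt
if [ "$#" -eq 2 ]; then
    if key_matches_cert "$1" "$2"; then
        echo "OK: private key matches certificate"
        exit 0
    else
        echo "MISMATCH (or unreadable input): do not install this pair"
        exit 1
    fi
fi
```

Run `extract_machine_key /path/filename.key` on the appliance right after generating the CSR, keep that file somewhere safe, and run the match check against the certificate the CA returns; a mismatch at that point (for example because the CSR was regenerated and VECS now holds a different key, as happened in this thread) is caught before the Machine SSL certificate is replaced and the web client breaks.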
zenking
Hot Shot

So I got a new cert and applied it. It's working correctly for the 5480 management page, but I get an error when I try to go to the vcenter client page. Any ideas?

[400] An error occurred while sending an authentication request to the vCenter Single Sign-On server - An error occurred when processing the metadata during vCenter Single Sign-On setup - Failed to connect to VMware Lookup Service https://server-host-name:443/lookupservice/sdk - SSL certificate verification failed.
zenking
Hot Shot

Keeps getting worse. I reverted to the snapshot I created before installing the new certificate, and now I get this message on both the web client and the vami:

"(server URL) has a security policy called HTTP Strict Transport Security (HSTS), which means that Firefox can only connect to it securely. You can’t add an exception to visit this site.

The issue is most likely with the website, and there is nothing you can do to resolve it."

zenking
Hot Shot

Well, I finally managed to get back into the vcenter web consoles by clearing the HSTS settings in the browser.

How to clear HSTS settings in Chrome and Firefox

Be aware that if you get a message like the one below, it tries to pin the rap on the website.

"Warning: Potential Security Risk Ahead

Firefox detected a potential security threat and did not continue to 172.28.211.35. If you visit this site, attackers could try to steal information like your passwords, emails, or credit card details.

What can you do about it?

The issue is most likely with the website, and there is nothing you can do to resolve it.

If you are on a corporate network or using anti-virus software, you can reach out to the support teams for assistance. You can also notify the website’s administrator about the problem.

Learn more…

Someone could be trying to impersonate the site and you should not continue.

Websites prove their identity via certificates. Firefox does not trust 172.28.211.35:5480 because its certificate issuer is unknown, the certificate is self-signed, or the server is not sending the correct intermediate certificates.

Error code: SEC_ERROR_UNKNOWN_ISSUER"
